[SalesForce] Salesforce Certificate Exception: No subject alternative DNS name matching found

We are trying to make a callout to "https://support.dreamwares.com/payment/v1/accounts/somevalue" from Salesforce. But, we are facing an exception:

System.CalloutException: java.security.cert.CertificateException: No subject alternative DNS name matching support.dreamwares.com found.

The domain has a valid SSL certificate.

We have checked from SSL shopper: https://www.sslshopper.com/ssl-checker.html?submit=submit&hostname=support.dreamwares.com

But, still we are facing this issue

We don't understand why is Salesforce not allowing us to make call outs to this domain when it has a valid SSL certificate and the browsers allow it.

We understand that Salesforce only supports the certificates from trusted CA authorities as listed on

https://developer.salesforce.com/page/Outbound_Messaging_SSL_CA_Certificates

Our certificate provider is GoDaddy which is listed in the list in above link. Our our fingerprint matches with godaddyclass2ca

Simple steps to recreate the issue are as follows-

Create a remote site setting for URL – "https://support.dreamwares.com"

Execute the following code from developer console –

HttpRequest httpReq = new HttpRequest();
Http httpObj = new Http();
HttpResponse httpResp = new HttpResponse();

httpReq.setEndPoint('https://support.dreamwares.com/payment/accounts/orgid'); 
httpReq.setMethod('GET');

httpResp = httpObj.send(httpReq);

The execution will fail. Check debug logs for details of exception

What is the reason for this issue?

Best Answer

It turns out, as you said, that you can't have multiple certificates on the same IP address. Why every other browser and network service can handle this but Salesforce can't, I have no idea.

We were using a shared hosting provider, and once we got a dedicated IP address and put our sub-domain on that dedicated IP address, it worked.

Now, if only Salesforce would update it's error message to include the fact they don't work with wildcards or multiple certs on one IP address.

stony

Related Solutions

[SalesForce] SSL Exception when calling out: “System.CalloutException: IO Exception: java.security.cert.CertificateException: No subject alternative names present”

This is sort of a Java problem, rather than an entirely Salesforce-specific problem, so depending on how you search for the answer, it could take you a while to get to why it failed, and what the actual solution is.

Basically: The Java used by Salesforce/Apex for SSL handshaking requires that the server certificate has a SAN (Subject Alternative Name) that matches the CN (Common Name) when the CN is an IP Address. This isn't an issue when the CN is a Hostname.

As such, as you can't use any of the (not particularly nice anyway) java workarounds for this issue; the solution to this involves generating a new server certificate with extra info on it. If you control the web service you're calling out to, that should be reasonably easy - otherwise you will need to get in touch with whoever administers the server and its certs and ask them to do this, as this is a definite blocker with no known workarounds in Salesforce (unless anyone else wants to chime in with one!).

Either way, someone will need to pay for a new Public CA signed server certificate to replace the old one. Depending on your Public CA, you will need to make sure you are buying a cert type that allows SANs, and be aware there may be extra charges per SAN added, depending on your provider.

To include the required SAN using Java 7's keytool, use the flag -ext san=ip:0.0.0.0 - filling in the appropriate IP address here, that matches the CN IP address, instead of 0.0.0.0.

To include the required SAN using openssl, include the following in your openssl.conf file used for generation

[req]
req_extensions = v3_req

[v3_req]
subjectAltName = @alt_names

[alt_names]
IP.1 = 0.0.0.0

Again, filling in the appropriate IP address that matches your CN, instead of 0.0.0.0

The Java flavoured Q&A can be found at https://stackoverflow.com/questions/8443081/

[SalesForce] java.security.cert.CertificateException: No subject alternative names present

There are a few things that could be wrong here.

1) If you're using HTTPS for the Endpoint URL, the other system must have a CA signed SSL certificate

2) Make sure you've added the endpoint URL in the Remote Site Settings in salesforce

3) If you're using Salesforce CA signed certificate, make sure you specify the cert name in your class (example) and you upload the cert file on the other server.

EDIT: I've found some good examples for different types of integration using SSL. Hope this helps.

Making authenticated web service callouts from Salesforce

Making Authenticated Web Service Callouts Using Two-Way SSL

Best Answer

Related Solutions

[SalesForce] SSL Exception when calling out: “System.CalloutException: IO Exception: java.security.cert.CertificateException: No subject alternative names present”

[SalesForce] java.security.cert.CertificateException: No subject alternative names present

Related Topic